Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

Transcription

1 Are You Ready For PCI v 3.0 Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

2 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice Corbin.delcarlo@mcgladrey.com

3 Today s Agenda How PCI compliance affects your institution Processes and control modifications, Breach concerns What is new to PCI V3.0 Requirements organizations struggle with Challenges and myths New requirements Updated audit and evidence requirements The Future of PCI Chip and PIN, Mobile payments Online transactions

4 How PCI Compliance Affects Your Institution

5 What is PCI DSS? Payment Card Industry Data Security Standard An independent industry standards body providing oversight of the development and management of Payment Card Industry Security Standards Card brand members American Express Discover Financial JCB International MasterCard Worldwide Visa, Inc. PCI Security Standards Council Maintain PCI DSS standards and supporting documentation, and other PCI standards (i.e. PA DSS, PFI, etc)

6 Focus On The DSS Data Security Standard Industry Standard for handling credit card data Expanded Guidance Business-as-usual guidance Compliance with the DSS is an ongoing process that businesses must keep up-to-date. Security is not a point in time event Adhering to the DSS on a daily basis, will have a positive effect on your business

7 How PCI Compliance Affects Your Business Processes Costly Upgrades Network segmentation Hardware and software upgrades Vulnerability scanning Monitoring and alerting systems Fraud detection systems Assessments and Attestations Implementing controls to protect cardholder data Complete a report on compliance by a QSA (Qualified Security Assessor) or, Perform a SAQ (self assessment questionnaire) Attestation of Compliance (AOC) Fines Not being PCI DSS compliant

8 How PCI Compliance Affects Your Business Processes, continued Possible suggestions in making PCI DSS compliance run smoothly: Develop data flow diagrams Documentation of security policies, standards and operational procedures Create an inventory of your software and hardware that is in your cardholder data environment. PCI DSS is not an IT audit Have key stakeholders available during an assessment. Human resources, application owners, users of the applications, facilities, and IT specialist as needed to complete your PCI assessment.

9 Breach Concerns Hackers and large international organized crime syndicates Many small business owners Knowing what data you have and where it resides Higher monthly fees for non-compliance The fallout of a data breach The fallout can be significant, including fines/penalties, termination of your ability to accept payment cards, lost customer confidence, legal costs, settlements and judgments, fraud losses, etc. A breach could result a cost of, on average $200 per card number lost

10 Information Security Initiatives, continued Key Themes Education and awareness Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today. Increased flexibility Changes in PCI DSS and PA-DSS 3.0 focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise such as weak passwords and authentication methods, malware, and poor self-detection providing added flexibility on ways to meet the requirements

11 What Is New To PCI V3.0

12 Differences: 2 Vs 3 Total Changes 89 modified requirements Clarifications added more specificity to the requirement language. Making the intent of the requirement more clear (74 changes) Additional Guidance providing further guidance or integrating supplemental documents released after v2 and integrating them into v3 (5 changes) Evolving Requirement changes to deal with the most recent threats and market changes. (10 changes) New Requirements all fit into one of the above categories (16 new requirements)

13 What Isn t Changing..But Is Most of the changes in v3 were clarifications of the v2 requirements. (83%) Most of these were previously published via the Council s FAQ website or the v2 Reporting instructions. These were already requirements Wording just codifies the requirement Since this just indicate the intent of the existing requirement these are all technically required if you do version 2 or version 3 So hopefully you are already doing these.

14 Clarifications That Organizations Struggle With E-Commerce Scoping Whitepaper Published in January 2013 Clarifies the scope of PCI DSS in relation to e-commerce apps Most importantly pulls redirect systems into scope. Images courtesy of PCI SSC Information Supplement PCI DSS E- Commerce Guidelines

15 ecommerce Some Clarifications ecommerce PCI Council PCI_DSS_v2_eCommerce_Guidelines.pdf Addresses multiple scenarios, including in-house, co-source, or out-source Clarification on out-source/re-direct Merchant s website redirects consumer s browsers to an e- commerce payment processor s website Merchant is responsible for: Managing website and servers (if self-hosted), including applicable PCI DSS requirements Applicable PCI DSS requirements for managing third parties, (e.g., Requirement 12.8) Having written agreements with any third parties and ensuring they protect cardholder data on behalf of the merchant, in accordance with PCI DSS. Securing the web page(s) containing the redirection code and/or function(s).

16 Clarifications That Organizations Struggle With, continued Requirement 2.1 changing default passwords Applies to all default passwords in the CDE. Penetration tests still see default passwords most times. Requirement disk encryption Logical access must be managed separately and independently of the native operating system authentication and access control.

17 Clarifications That Organizations Struggle With, continued Requirement separation environments Prod and dev must be segregated by logical access controls No developers have access to prod Requirement Audit access to CHD Requirement that all individual user access to CHD must be logged and included in the audit trails No shared accounts without some other control

18 Clarifications That Organizations Struggle With, continued Requirement 10.6 daily log reviews Clarified that log reviews should identify suspicious activity or anomalies Allows risk management strategy to be applied to the logs reviewed Actually a bit easier but almost requires a SIEM Requirement 12.8 Vendor Management Clarified that the written service provider agreement/acknowledgement must document the responsibilities of the vendor in protecting CHD. Much more detailed program will be required

19 New Requirements Scope of assessment Evidence that card holder data only resides in the card holder data environment. Proof via Data flow documentation Interviews with business process owners Automated scans at perimeter points Image courtesy of PCI SSC

20 New Requirements, continued Requirement 2.4 Inventory of systems Inventory was part of scoping before, not it is an actual requirement Inventory will have to be very detailed Include all system components that touch or support CHD processes Image courtesy of PCI SSC

21 New Requirements, continued Requirement Protect all systems against malware Exception for systems that are not considered to be commonly affected by malicious software has been modified Target Malware on POS MacOS Safari Bugs Android Malware Must be evaluated periodically (annually) Requirement coding practices Coding protections have been updated to the new OWASP top ten Specifically added protections for: Broken Authentication Session management

22 New Requirements, continued Requirement Service Provider requirement for unique authentication for remote access at each customer premise As a merchant this will have to be part of your acknowledgement/agreement Requirement 8.6 unique token authentication If using authentication such as physical tokens, smart cards, certificates, etc, the devices must be uniquely assigned Each must only identify one user Validate audit trail, provide non-repudiation

23 New Requirements, continued Requirement 9.9 protect capture devices All devices that capture payment data (PIN PADs, Card swipes, CHIP readers, etc) must have unique tamper proof stickers Periodic review of all stickers to validate not broken or substituted Requirement 11.3 Pentesting methodology Methodology has to be documented and based on industry standard (such as NIST SP ) and include current threats and vulnerabilities Has to include the entire CDE and critical devices Has to validate any segmentation or scope reduction controls used to reduce the scope of the assessment Retention of remediation documentation.

24 New Requirements, continued Requirement File Integrity Monitoring Process must include responses to alerts generated. Requirement Vendor Management Merchant must maintain information of which PCI DSS requirements are managed by each servicer provider or by the entity Requirement 12.9 vendor acknowledgement Service providers must provide and merchants must obtain written acknowledgement of responsibilities discussed in 12.8

25 Future Dated Requirements Image courtesy of PCI SSC

26 The Future Of PCI

27 EMV Chip And PIN EMV - Europay, MasterCard, and Visa. October 1, 2015 date for having EMV (Chip/PIN) implemented. Liability of loss shifts to merchant. Consider, however: Are cards already encrypted? Are they going directly from POS to processor and not entering the network? What are the costs to implement POS? Business perspective to update. Card Not Present (ecomm, Mail In, Phone, Fax) not impacted.

28 EMV Chip And PIN Confirm issuer and processor are ready for accepting Chip and PIN. Global Operations Implement global, if not already done so. Implement in US. P2PE Point-to-Point Encryption consider EMV as part of this solution. Multiple initiatives: Some organizations are in process of implementing as part of POS upgrade tasks. Some organizations are waiting to upgrade until it is time to replace POS devices. Some organizations are waiting to see if the date is pushed back for EMV solutions. EMV will likely move forward as a result of high rate of breaches. US does 24% of card transactions and is currently creating 47% of fraud activity.

29 Mobile Payments Mobile solutions are ok if they meet PCI requirements. PCI Council web site February 2013 Mobile_Payment_Security_Guidelines_Merchants_v1.pdf Additional guidance includes: Mobile Payment-Acceptance Applications and PA-DSS FAQs PCI PTS POI Modular Security Requirements, Version 3.1 PCI Payment Application Data Security Standard (PA-DSS), Version 2.0 Accepting Mobile Payments with a Smartphone or Tablet Risks: Loss of mobile device could mean loss of payment information (physical security) Capturing transmission of information Securing the OS and checking for virus/malware

30 Mobile, continued Square solution or other type of external, approved reader or PED device. PA-DSS application that connects through mobile solution. P2PE solutions. Many trying to provide the market with a solution Telecoms Merchants Processors Software providers Diagram from MasterCard Worldwide The Future of PCI: Securing Payments in a Changing World

31 Questions?